Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nrf_security: Refactor Cracen IKG keys #18796

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

nrf_security: Refactor Cracen IKG keys #18796

wants to merge 1 commit into from
+184 −46

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Nov 11, 2024

This fixes an issue where the KMU keys 0-2 on the nRF54L15 cannot be used to store keys.

This refactors how we handle the IKG key IDs for
Cracen. Before this change we used the internal
Cracen IKG key identifiers inside the builtin key
driver. This had an issue because both the KMU keys and the IKG internal key IDs share the IDs 0-2.

To avoid this collision the IKG handling is refactored to use the reserved Cracen PSA key identifiers in the driver level and only use the internal key intentifiers deeper in the implementation in order to avoid the conflicts.

This also removes unused structs related to the IKG keys and unused code as well.

@Vge0rge Vge0rge requested a review from a team as a code owner November 11, 2024 12:02
@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Nov 11, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Nov 11, 2024
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 7

Inputs:

Sources:

sdk-nrf: PR head: f92ecb427a23aa57baf3050b8224d43401f6a54b

more details

sdk-nrf:

PR head: f92ecb427a23aa57baf3050b8224d43401f6a54b
merge base: 68623068aed6482998f1eff6df828b051c7bb48f
target head (main): 68623068aed6482998f1eff6df828b051c7bb48f
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (5) 
subsys
│  ├── nrf_security
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  ├── cracen
│  │  │  │  │  ├── cracenpsa
│  │  │  │  │  │  ├── include
│  │  │  │  │  │  │  │ cracen_psa_key_ids.h
│  │  │  │  │  │  ├── src
│  │  │  │  │  │  │  ├── common.c
│  │  │  │  │  │  │  ├── key_management.c
│  │  │  │  │  │  │  ├── platform_keys
│  │  │  │  │  │  │  │  ├── platform_keys.c
│  │  │  │  │  │  │  │  │ platform_keys.h

Outputs:

Toolchain

Version: b77d8c1312
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:b77d8c1312_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ❌ Build twister
    • sdk-nrf test count: 1636
  • ❌ Integration tests
    • ❌ test-fw-nrfconnect-chip
    • ❌ test-fw-nrfconnect-nrf_crypto
    • ❌ test-fw-nrfconnect-tfm
    • ❌ test-sdk-find-my
    • ❌ test-sdk-sidewalk
    • ❌ test-sdk-dfu
    • ⚠️ test-fw-nrfconnect-nrf-iot_cloud
Disabled integration tests
    • desktop52_verification
    • doc-internal
    • test_ble_nrf_config
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-boot
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_mosh
    • test-fw-nrfconnect-nrf-iot_nrf_provisioning
    • test-fw-nrfconnect-nrf-iot_positioning
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-ps
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-thread
    • test-fw-nrfconnect-zigbee
    • test-low-level
    • test-sdk-audio
    • test-sdk-mcuboot
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@github-actions GitHub Actions
Copy link

This pull request has been marked as stale because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this pull request will automatically be closed in 7 days. Note, that you can always re-open a closed pull request at any time.

@github-actions github-actions bot added the Stale label Dec 16, 2024
@Vge0rge Vge0rge force-pushed the ikg_key_refactor_fix branch from 9e37e74 to 50361eb Compare December 27, 2024 10:57
@Vge0rge Vge0rge requested a review from tomi-font December 27, 2024 11:29
@Vge0rge Vge0rge force-pushed the ikg_key_refactor_fix branch from 50361eb to 4ba3abc Compare December 30, 2024 09:54
@Vge0rge
nrf_security: Refactor Cracen IKG keys
f92ecb4 
This refactors how we handle the IKG key IDs for
Cracen. Before this change we used the internal
Cracen IKG key identifiers inside the builtin key
driver. This had an issue because both the KMU keys
and the IKG internal key IDs share the IDs 0-2.

To avoid this collision the IKG handling is refactored
to use the reserved Cracen PSA key identifiers in the driver
level and only use the internal key intentifiers deeper
in the implementation in order to avoid the conflicts.

This also removes unused structs related to the IKG
keys and unused code as well.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge Vge0rge force-pushed the ikg_key_refactor_fix branch from 4ba3abc to f92ecb4 Compare December 30, 2024 09:54
tomi-font
tomi-font reviewed Dec 30, 2024
View reviewed changes
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c
static bool cracen_is_ikg_key(const psa_key_attributes_t *attributes)
{
#if CONFIG_PSA_NEED_CRACEN_PLATFORM_KEYS
return cracen_platform_keys_is_ikg_key(attributes) ? true : false;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return cracen_platform_keys_is_ikg_key(attributes) ? true : false;
return cracen_platform_keys_is_ikg_key(attributes);

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
{
if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
PSA_KEY_LOCATION_CRACEN) {
return cracen_get_ikg_opaque_size(attributes);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like you forgot to update this reference?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomi-font tomi-font tomi-font requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Vge0rge @NordicBuilder @tomi-font @endre-nordic